Trust Assessment
reachy-mini received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 5 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Remote code execution: curl/wget pipe to shell", and "Hardcoded/Default SSH Credentials and Insecure `sshpass` Usage".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/voice-devotional/skills/reachy-mini/SKILL.md:228 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/voice-devotional/skills/reachy-mini/SKILL.md:231 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/snail3d/voice-devotional/skills/reachy-mini/scripts/reachy-react.sh:32 |
| CRITICAL | **Hardcoded/Default SSH Credentials and Insecure `sshpass` Usage.** The skill uses `REACHY_SSH_PASS` with a default value of `root` for SSH authentication. It also employs `sshpass`, which is highly insecure as it exposes the password in plain text in process lists and command history, making it vulnerable to credential harvesting. This allows unauthorized access to the robot if the default password is not changed or if the environment variable is compromised. Remove the default `REACHY_SSH_PASS` value. Strongly recommend using SSH keys for authentication instead of passwords. If passwords must be used, prompt for them securely or use a secrets management system, and avoid `sshpass`. | LLM | scripts/reachy.sh:104 |
| CRITICAL | **Remote Command Injection via `snap` command's output path.** The `snap` command in `reachy.sh` constructs an SSH command to execute `reachy-gst-snap.py` on the remote robot. The user-provided `output_path` (from `reachy.sh snap <output_path>`) is directly inserted into this remote command string without sufficient sanitization or escaping. A malicious `output_path` containing shell metacharacters (e.g., `"; rm -rf /"`) could lead to arbitrary command execution on the remote robot. This also enables arbitrary file writes to any location the script has permissions for. Thoroughly sanitize or escape all user-provided arguments before including them in shell commands, especially for remote execution. Consider using a more robust method for remote script execution that doesn't rely on direct shell string concatenation, or pass arguments via environment variables if possible. For file paths, validate against allowed characters and ensure they are within expected directories. | LLM | scripts/reachy.sh:300 |
| HIGH | **Local Command Injection via `raw` and `app-install` commands' JSON body.** The `api_post` helper function, used by `raw` and `app-install` commands, passes user-provided JSON `body` directly to `curl -d "$body"`. If the `$body` contains shell metacharacters (e.g., `{"key": "$(rm -rf /)"}`), it can lead to arbitrary command execution on the local machine running the `reachy.sh` script. Sanitize or escape user-provided JSON `body` before passing it to `curl -d`. A safer approach is to write the JSON to a temporary file and use `curl -d @temp_file.json`, or use a dedicated JSON parsing library that handles escaping. | LLM | scripts/reachy.sh:79 |
| MEDIUM | **Configurable Host Allows Redirection to Malicious Servers.** The `REACHY_HOST` environment variable or `--host` flag allows users to specify the target robot's IP address. While necessary for functionality, if an attacker can control this variable, they could redirect the skill to interact with a malicious server. This could lead to data exfiltration (e.g., if the skill sends sensitive commands or data to the malicious server) or command injection (if the malicious server responds with crafted data that the skill then processes insecurely). Implement strict validation for `REACHY_HOST` to ensure it points to an expected internal IP range or a known, trusted hostname. Avoid allowing arbitrary external IP addresses or domain names unless explicitly required and secured. Ensure that any data received from the configured host is also validated and sanitized before processing. | LLM | scripts/reachy.sh:10 |